HIPAA Hosting in Canada: The Same Rules Apply!

July 29, 2016

HIPAA is a big deal in the US for most businesses involved in health and medical related sectors. And if these companies are compliant – and want to outsource HIPAA hosting or store data north of the border – they need to work with a Canadian provider that offers HIPAA compliant managed services.

HIPAA stands for the Health Insurance and Portability Accountability Act of 1996. Its first purpose was to allow patients to obtain new health insurance when switching jobs even if they have a pre-existing condition. It was also the first US Act to systematically regulate what it called Protected Health Information (PHI): personal medical documentation such as bills, claims, prescriptions, lab results, medical opinions, and appointment records. The Act went into effect in 2003 and primarily affects health insurers, sponsored health plans, and medical service providers.

HIPAA also addressed the growth of networked ICTs in the 90s by including provisions regulating standards for electronic PHI (ePHI) transmitted through insurance billing and the digital sharing of medical information. These regulatory efforts became urgent in an era of increasing computerization: electronic databases and online report filing that replaced difficult-to-find, single copy medical charts with electronic documents that are now instantly accessible from virtually anywhere. Not surprisingly, the 90s coincided with a spike in public concern over digitization and public privacy protection.

Today, HIPAA regulations apply similarly to PHI and electronic PHI (ePHI), and the penalties for infractions, in either case, can be steep. According to the American Medical Association, HIPAA minimum penalties run at $100 per violation. Maximum penalties go as high as $50,000 per violation and up to an annual maximum of $1.5 million. “Knowingly” obtaining or disclosing PHI may result in up to five years incarceration – and up to ten years if done for commercial gain.

HIPAA Hosting in Canada for MSPs

The Act has evolved considerably since its implementation in 2003. And knowing some of the changes in underlying HIPAA definitions is critical for Canadian Managed Service Providers (MSPs) providing HIPAA hosting in Canada on behalf of US clients.

Amendments in 2009 and 2013 beefed up HIPAA’s compliance and enforcement provisions and created more rules for dealing with ePHI. The 2013 HIPAA Omnibus Rule distinguished Business Associates from covered entities, and indicated the former were “directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.”

To explain, the original HIPAA Security Rule laid down administrative, technical and physical standards for dealing with ePHI. Initially, these applied to covered entities who were responsible under HIPAA for establishing, enforcing and tracking risk management, breach reporting, data handling and disaster recovery strategies.

The 2013 Omnibus Rule expanded the Security Rule to explicitly include contractors who may only be dealing with ePHI at second or third-hand levels. A June 2013 article from the BakerHostetler law firm titled “HIPAA, Business Associates, and the Cloud” says cloud providers are not HIPAA-exempt. Instead, it suggests custody of sensitive data, and not the degree of access is the guiding principle determining whether an MSP is liable under HIPAA.

The implications of this opinion should be clear: Canadian MSPs who deal with US healthcare companies are in many cases responsible for ensuring they are HIPAA compliant. Failing to do so may put their clients and themselves at risk.

Thankfully, the Security Rule provides some leeway on measures such as what hardware and software to use; what encryption methods to employ; and how to train and certify employees. This flexibility allows MSPs room to implement context-specific compliance appropriate to the scale of their organization. It also avoids locking covered parties into using obsolete technology.

What MSPs Must Specifically do to be Compliant

Cartika and others certified to deliver HIPAA hosting in Canada must meet the following requirements. First, the organization is expected to sign what’s called a “Business Associates Contract” where an MSP takes liability for elements such as infrastructure, data center and managed services.

The HSS Security Papers lay out more detailed guidelines for HIPAA compliance which asks organizations to consider and document “reasonable and appropriate” security measures in making their choices. The papers include discussion of

Access Controls: Features such as user identification, emergency access procedures, automatic logoffs, two-factor identification, and encryption/decryption to ensure safe data transmission where it travels across open networks.

Audit Controls: Advanced logging and log maintenance, and other measures deemed “reasonable and appropriate” to ensure continued network monitoring for privacy breaches and unauthorized access.

Data Integrity: Offsite data backups as part of a disaster recovery plan, as well as consideration of other measures that automatically check data integrity, such as checksum verification, digital signatures, double-keying and message authentication.

The Bottom Line for HIPAA Hosting in Canada

Any US company hosting HIPAA-compliant data in Canada needs a compliant provider. The MSP will be responsible for HIPAA-compliant data encryption, disaster recovery, reporting, vulnerability scanning, and other measures to ensure the integrity and privacy of ePHI. The good news is that Canadian HIPAA accredited providers such as Cartika are well-positioned to help.